Cyber Threats to National Security
Symposium One: Countering Challenges to the Global Supply Chain
July 2010
UNCLASSIFIED
Contents
Executive Summary
1 Introduction
1.1 An Unprecedented Asymmetric Threat
1.2 The Cyber Challenge to U.S. National Supply Chains
1.3 National Response to the Threat
2 Assessing the Cyber Threat
2.1 The Realities of the Growing Cyber Threat
2.1.1 The Highly Asymmetric Nature of Cyber Threats
2.2 Cyber Threats Affect Everyone
2.2.1 Impact on Government
2.2.2 Impact on the Private Sector
2.2.3 Impact on Individuals
2.2.4 Impacts at the International Scale
3 Securing Supply Chains in the Cyber World
3.1 Supply Chain Threats and Vulnerabilities
3.2 Securing the Supply Chain
3.2.1 The Information Technology Supply Chain
3.3 Operational Perspectives on Securing the National Security/Defense Supply Chain
4 The Way Forward: A View From the Hill and Beyond
4.1 Legislative Branch Initiatives
4.2 Executive Branch Action: Developing and Defining Policy
4.2.1 Aligning Agency Roles and Responsibilities
4.2.2 Defining Terms
4.2.3 The Role of Diplomacy
4.3 A Private-Public Partnership
4.4 The Critical Role of Education and Individuals
5 Findings and Recommendations
5.1 Findings
5.2 Recommendations
5.3 Defining Cybersecurity Success
5.4 Conclusion
Glossary
Acknowledgments
Executive Summary

The United States is faced with an unprecedented asymmetric threat to its national security, one to which the public is not yet fully awake. Of increasing importance, it is a threat to the nation’s vast information assets, networks, and systems that operate in cyberspace. Within this context, it is critical to look at the cyber threat to the nation’s supply chains.

Assessing the Cyber Threat

Cyber threats are asymmetric because attacks may be perpetrated by the few upon the many, with little cost and resources. Cyber attacks are typically anonymous, launched from any of billions of sources worldwide. Impacts may be immediate and obvious, or dormant and subtle, eluding recognition for years. Degrees of damage can range from inconvenient downtime of personal systems to the life-threatening destruction of critical infrastructures.

Cyber threats are growing and will impact everyone. The increasing global dependence on technology has only increased vulnerability to it. In turn, increased connectivity has exacerbated existing security threats. Developing an effective and comprehensive national cybersecurity strategy to counter these threats is paramount.

A key component of this strategy will be a capability to protect U.S. supply chains from mounting cyber threats. Supply chains provide goods and services that are essential to the functions of the U.S. government and its economy, the well-being of Americans, and the support and protection of American troops worldwide.

Securing Supply Chains

Historically, U.S. supply chains have been largely immune to threat because the most critical supply chains were internal to North America, far from the influence of foreign actors. This is no longer true in the cyber age.

During the last 25 years, globalization has increasingly compromised U.S. supply chain immunity. The worldwide cyber domain has also become increasingly essential to every aspect of governmental, commercial, and personal life. U.S. communications, command, and control technologies and capabilities have become inextricably interwoven with those of every nation, both friendly and hostile to U.S. interests.

In the cyber age, the nature of the supply chain must be re-examined. The vast majority of U.S. supply chains rely on information technologies to carry out their functions and processes. At the same time, the convergence of computer and communications technologies potentially compromises every information system worldwide. Threats to both private and government supply chains are equally affected.

Even as cyber threats mount, it is also clear that solutions to these threats also reside in the cyber domain. Technologies that can be turned against a nation can also be the source of its defense. The U.S. must commit time, funding, and expertise to fully exploring this aspect of cyberspace.

The Way Forward

To enforce cybersecurity of U.S. supply chains, it is necessary for the government and its citizens to engage in a unique collaborative effort. Every user of a cyber-enabled device has in their hands a point of vulnerability and a source of potential attack, and is a potential cyber warrior. Congress and the executive branch must engage cooperatively in defining roles and responsibilities. Diplomatic solutions must be explored, and a public-private partnership must develop. Responsibility must be shared among the government, the private sector, and every private citizen to protect U.S. cyber assets.

Recommendations

A number of recommendations may be made to advance the national understanding of cyber threats in general and supply chain threats in particular. The U.S. must:

1. Ensure the nation is prepared to react to and preempt cyber attacks;
2. Make supply chain security part of the establishment of an overall cyber intelligence capability;
3. Develop the ability to build a limited number of computer and communication systems that are absolutely certain to be secure; and
4. Carry out a sustained strategic communications campaign to provide the public with a realistic appreciation of the cyber threat.
The lead role in developing and enacting U.S. cybersecurity policy is shared by the legislative and executive branches of government. A concerted response by these branches will strengthen legal authorities, establish and clarify roles and responsibilities, and change public perceptions.

Congress must consider a number of factors in enacting legislation specifically focused on improving cybersecurity. It must establish a U.S. capability to monitor emerging technologies and rapidly respond to threats from any source. It must tailor legislation to the executive agencies in which these capabilities will reside and be implemented. Budget constraints must be considered, while Constitutional limits of federal power and the rights of local and state governments are respected. Privacy and other individual rights also must not be infringed.

The President must continue to make cybersecurity a national priority, and executive branch policy must clarify and define agency roles and responsibilities. Executive policy should include increasing efforts to define a common and clearly understood lexicon of cyber domain and cybersecurity terminology. Presidential guidance and directives will continue to be vital in helping federal agencies establish complementary and collaborative strengths in supporting U.S. national security.

Because cyber threats are international in scale and scope, global coordination and cooperation are essential. The executive branch must therefore also formulate and execute diplomatic initiatives complementary to domestic actions.

2 Assessing the Cyber Threat

Looking at the cyber threat environment, it is clear that adversaries of the U.S. have compromised the nation’s interests. The computers of the nation’s own citizens are infected with malicious software and unwittingly being used against U.S. interests. The federal government is constantly under attack. U.S. critical infrastructure is being targeted and explored by adversaries on a daily basis.11

The Center for Strategic and International Studies (CSIS) found that more than 50 percent of businesses operating critical infrastructure, including electrical grids and gas and oil supplies, have experienced cyber attacks at a cost of millions of dollars each day, posing a significant threat to essential services.12

[Figure: Ten Countries Most Frequently Targeted by Cyber Attacks. In 2009, the U.S. was the target of more malicious cyber activity than any other nation. Graphic courtesy of CACI based on data from Symantec Corporation. Labels visible in the graphic: United States, China, United Kingdom, Germany, Brazil, Russia, Italy.]

While the U.S. has been preoccupied discussing the implications of security in the modern, connected, high-bandwidth world, its adversaries have been busy developing exploitative technologies and learning
from experience. They are fully capable of operating offensively within cyberspace. The globalization of manufacturing products in the information and communications sectors means that the U.S. and other highly developed countries, including all the G20 members, are dependent on newly emerging producers of technology in this space.

The U.S. now finds itself more reliant than ever on converged computer and communications technologies, more so than almost any other country. While benefiting from the efficiencies these technologies bring, the U.S. is simultaneously in an increasingly defensive posture with adversaries that have identified cyber warfare as the new asymmetric weapon of choice.

America’s adversaries have come to realize that the very efficiencies provided by information technology, the very technologies that enable all modern societies to thrive, can also be used to efficiently undermine U.S. security.

2.1 The Realities of the Growing Cyber Threat

The battlespace has changed. Notwithstanding Sun Tzu’s recommendation to “know thy enemy,” the U.S. is no longer dealing with a single known enemy, or even a handful of known enemies, on known battlefields.13

Instead, the U.S. is dealing with hundreds, even thousands, of attacks daily. They come from known and unknown adversaries, attacking from multiple entry points. Attacks can come from solitary hackers, inside and outside the network, inside and outside U.S. borders, and be intentional as well as unintentional. There are also large-scale, coordinated attacks from friendly and unfriendly countries all over the globe.

The highest rate of cyber attacks on U.S. networks – perhaps surprisingly – is from within the United States. China is second, and Spain is third.14

These attacks are manifested in the form of system crashes, denials of service, counterfeiting, corrupted or stolen data, material theft, delivery delays, and misdirected service. They can be obvious, immediately identified events; backdoors that become effective only when a specific set of events occurs in the future; or events that are timed to occur in the future. Not only can these attacks immediately disrupt the flow of the goods and services to the warfighter, they can also take down entire networks.

By 2017, it is expected that Chinese investment in information technology will surpass that of the U.S. by 5 percent.15 What are U.S. institutions doing to counter this threat? How can DoD develop awareness of the cyber threat in its training, war gaming, simulation, and officer development?

2.1.1 The Highly Asymmetric Nature of Cyber Threats

During the 1990s, the growing prominence of the information technology mass market and the Internet drew increasing attention to the potential for and emergence of new forms of asymmetrical warfare. Experts began to recognize that converged, networked information technology and communications systems reinforced other technical advances to empower individuals and small groups in unprecedented ways that could challenge even the power of the United States.16

Cyber actors, from individuals, to criminal groups, to rogue states and terrorists, can today easily combine to launch a customized cyber threat.

• Individuals. At the lowest end of the threat spectrum are uncoordinated individuals acting on their own. Although some individual actors are highly intelligent and may pose a risk to systems, their motivation is often limited to achieving personal satisfaction or recognition based on the disruption they hope to cause. The limited level of resources available to individuals reduces the risk posed by this class of threat.

• Criminals and Criminal Enterprises. Many threats in cyberspace are motivated by personal financial gain or related to criminal acts of vandalism. Criminals and criminal enterprises within cyberspace have become more organized, including highly organized rings that traffic in personal information, credit cards, identities, and other information with value. In many cases, criminal software and hardware development capabilities rival those of software and hardware industry leaders.

• Terrorists. Because cyberspace offers anonymity, terrorist organizations have begun to use the Internet as a key tool to support recruitment, funding, and organization goals. Cyberspace provides an easy way to fund terrorist activities and transfer resources through anonymous online transactions. It also provides the means to transfer knowledge and provide command and control to support the terrorist organization. Unlike criminal enterprises, because motivations are not driven entirely by greed, terrorist activities are more difficult to counter.

• Nation States. Nation states have long recognized the value of information systems as critical elements of good governance practice, but they have also been used to subvert other nation states’ security. In the national security arena, computing systems have long been used to break encrypted messages and disrupt communications and command and control systems. Because identities are difficult to trace in the cyber domain, it is difficult to determine the nation state behind a given attack.

As far as these cyber actors are concerned, the same converged computer and communications technologies that enable any cyber threat also facilitate a virtual cyber-summit. In the anonymity of cyberspace, common cause can be found, plans made, and actions coordinated and taken. The attackers may have never met in person, before, during, or after the attack. Attacks can be directed against individuals, corporations, governments, or against any combination thereof.

[Figure caption: Are Americans ready for cyber attacks that can disrupt the delivery of essential goods and services? Graphic courtesy of CACI.]

A commonly used mechanism to describe the degree to which a system is vulnerable is to describe the “surface area” that is exposed to threat. With the many systems connected to the Internet, cyberspace exposes a vast surface area with innumerable vulnerabilities that a threat may exploit.

There are literally billions of points from which an attack can be launched using ordinary technology available almost anywhere to anyone. Any software technology that cannot be found for download on the Internet can be obtained through black or gray market channels. Other assets, like botnets, can be rented over the Internet.17

The asymmetries of converged computer and communications technologies available to cyber actors are especially striking. Beyond an Internet-connected computer, the cyber attackers’ marginal technical and operational resource requirements are low. The barriers of entry to cyber actors at all levels of organization are low. The cost of exploits is low. The cost of launching attacks is low. The cost of failure or getting caught is also low.

13 Azmi, op. cit.
14 Ibid.
15 Ibid.
16 Among the analyses that first recognized these possibilities are John Arquilla, David Ronfeldt, and Michele Zanini, “Networks, Netwar, and Information Age Terrorism,” in Zalmay Khalilzad, John P. White, Andrew W. Marshall (eds.), The Changing Role of Information in Warfare (Santa Monica, CA: RAND Corporation, 1999); and Martin Shubik, “Terrorism, Technology and the Socioeconomics of Death,” Comparative Strategy, 1997.
17 A botnet (“robot network”) may be described as a collection of networked and compromised computers under the remote command and control of a criminal adversary. “Over 1 Million Potential Victims of Botnet Cyber Crime,” FBI Press Release, June 13, 2007. Accessed at http://www.fbi.gov/pressrel/pressrel07/botnet061307.htm on May 25, 2010.
As society becomes better at protecting information technology assets, attackers will look to identify more cost-effective means to carry out their attacks. In the case of specific, well-protected systems, attackers may already be looking to the supply chain as a potential vulnerability vector. For a nation state, targeting an individual supply chain of a weapons system or a system not connected to the Internet may be the only cost-effective way to affect the balance of power in its favor.

Consider the following scenario. In order to target a specific system, the attacker must generally do one of two things: identify vulnerabilities to establish a foothold and gain privileged access to the computing resources of the system, or overload the system to cause it to malfunction.

Ubiquitous vulnerabilities present a great opportunity to disrupt systems. The majority of vulnerable systems in cyberspace are personal workstations or other systems that have limited value, except to the individual that regularly uses the computer.

However, attackers have found ingenious ways to exploit these low-value computers. Attackers aggregate large groups of such computers into botnets that can be used to overload systems. The development of botnets by an attacker also may be a preliminary stage of a larger attack to come.

• There are asymmetries in the education needed to attack/manipulate vs. protect and defend due to the easy availability of technologies in the global marketplace.

• There are major cost asymmetries.18

The highly opportunistic and enigmatic nature of cyber threats is unlikely to change any time soon.

2.2 Cyber Threats Affect Everyone

It is clear that the impact of an attack through and on cyberspace will affect all aspects of society. Modern societies are dependent on technology in general and cyberspace in particular for providing safety and security through the effective delivery of essential goods and services.

Cyberspace also has become an enabling medium for communications within society and between the government and constituents. As modern society develops, additional cyber capabilities will be adopted, including electronic voting and other technical processes that will be critical to society’s function in ways that may be unimaginable today.
3.2 Securing the Supply Chain

Protecting supply chains will require a widespread effort. While the challenge seems daunting, there are several opportunities available.

Each element in the supply chain must be examined in a consistent, objective fashion, and the resulting data must be analyzed to determine its status relative to other elements to create a common picture. Supply chain networks should be designed to maximize their dependence on technology for their resilience, minimizing reliance on human interventions. This is desirable since there are too few people to respond quickly enough to every attack.

To maintain resiliency in the face of a highly fluid cyber environment, and an only somewhat more stable physical environment, it is necessary to continually monitor and adjust the supply chain. Identifying and maintaining the high ground, not clearly defined in the cyber domain, requires a solution expressed in terms of Doctrine, Organization, Training, Material, Leader Development, Personnel, and Facilities (DOTMLPF).21

Establishing a supply chain in this manner permits the creation of a response framework based on the ISO 28000 series, the World Customs Organization, the Department of Homeland Security Customs Trade Partnership Against Terrorism, and similar standards and approaches.22 It would be a series of supply chain supplier and customer conditions and risk assessments that allow for a structured assessment of processes and measurement standards. Performance would be measured and corrective actions taken where necessary.

This approach provides the additional benefit of increased efficiency because the time and resources necessary to inspect a trusted supplier’s products would be minimized, while focus on products from uncertified suppliers would be maintained. The result would be reducing the cost and schedule of supply chain shipments where appropriate, while helping to ensure security of the right product, to the right place, at the right time.

As the U.S. becomes better at resisting the threat to cyberspace, the attackers will be forced into the supply chain to maintain return on investment. To ensure protection is in place to meet the trajectory of the supply chain threat, incentives must be provided to maintain focus on developing controls within the supply chain.

The financial services sector provides a good example of the level of effort required to manage these relationships. Service providers employ standardized mechanisms to transmit information on operational and security risk. They use standardized processes to continuously audit and assess the effectiveness of security controls. This provides early warning of emerging problems by creating visibility into risks in the operating environment.

An even better example comes from the identification of controls designed to drive up the costs to an adversary attacking the supply chain. When the cost of attack is greater than the cost of implementing controls, defenders realize a return on investment.

This use of the supply chain as a deterrent requires a change in perspective. Potential returns should be identified and prioritized to support deterrence efforts. Instead of viewing the supply chain as a target, it may be time to make it a useful control point in defending the national interest.

It is critical to have an appropriate high-level focus on the long-term strategic need for security within all aspects of the systems development lifecycle. A common language of supply chain security must also be developed. In many cases, there is a lack of technical underpinnings that support the communication of supply chain integrity information between partners within the supply chain.

3.2.1 The Information Technology Supply Chain

Threats to information systems security that originate from the Internet have consumed public attention. Yet it is safe to say that nothing in today’s supply chain moves without electrons. Therefore, the security of supply chain technology is paramount.

The integrity of the supply chains that produce the converged computer and communications systems that support all other supply chains is absolutely essential to the integrity of products within each supply chain. If information technology supply chains are insecure, then

21 DOTMLPF refers to the standard set of factors to be considered by the military when establishing a new national security capability.
22 See the glossary for more information.
• Assurance that systems behave in the manner intended, and that controls are in place to ensure, on a continuous basis from the outset, that new commands or corrupted protocol messages are prevented from reaching the application.

In sum, the U.S. needs to find a mix of defense in depth and defense in breadth, the correct balance of technology and protective measures that permit affordable and functional systems that meet reasonable, yet practical, capacity and speed requirements.

3.3 Operational Perspectives on Securing the National Security/Defense Supply Chain

The Achilles’ heel of any supply chain is that it is a highly fragmented process. For DoD, as for most federal agencies and commercial enterprises, it is difficult to ensure that operators, companies, and organizations look beyond their immediate supplier or the next customer in the supply chain.

which can be used to compromise those systems in combat.25

• Misdirecting, holding, or delaying shipments.26
• Substituting counterfeit parts or equipment.27
• Ordering duplicate parts/equipment.

These and other interferences will require resources to track the missteps, and may require reshipment. All cause delay and disruption, inefficiency, and mistrust in the supply system. Deployments may be missed and missions put on hold. Substitution of counterfeit parts can produce a wide range of adverse results, ranging from short-term mission failure to strategic failures caused by a compromise of command and control assets.

DoD efforts in defense of supply chains must be as seamless as its adversaries’ means of penetration. To its credit, the Department recognizes this as the nation’s greatest supply chain challenge.
[Figure caption: The U.S. Transportation Command is focused on expanding supply chain visibility to better protect goods and services delivered to the warfighter. Seal courtesy of U.S. Transportation Command.]

With the designation of the U.S. Transportation Command (TRANSCOM) as the distribution process owner for DoD, delivery processes are on the road to improvement. TRANSCOM, having already experienced no less than 150 cyber attacks, is working to expand supply chain visibility to a true sense-and-respond logistics that reaches back to the suppliers and forward to the warfighter.28

However, beyond the distribution process for DoD, U.S. and foreign industrial members of the supply chain remain insulated from each other.29 Every place there is a seam, there is a vulnerability open to exploitation. The continuing inability to completely integrate the supply chain remains a significant problem. This issue applies not only to new components, equipment, and systems but also to items being returned for repair, whether to a depot or the original equipment manufacturer. Moreover, it is a concern for every industrial base and supply chain partner, both public and private.

How might these risks be mitigated? Significant aspects of a mitigation plan are possible through the application of converged information technology and communications technologies, but employing these technologies must make the situation better; status quo is not an option. What would these technology-based risk-mitigation strategies look like?

No matter how well organizations attempt to prevent security breaches, no systems are ever totally free from vulnerability, and every system can be compromised in some way. This fundamental realization is essential to developing and sustaining the resilient systems essential to mission success.

When breaches occur, what matters is the ability to continue to conduct the mission, or to quickly get back online to provide supplies to the warfighter. Organizations must know when supply chains have been breached, and to what extent. Risk recovery plans must be in place, up-to-date, and well rehearsed. Sufficient alternate inventories, at alternate locations, must exist and be accessible in a timely manner. These will be the measure of logistical success, and probably the combat success of the warfighter.

The paradigm shift to a global marketplace has had staggering implications for securing DoD supply chains.32 The U.S. no longer builds all, or even most, of the information and communications technology that runs its networks.

Ten years ago, American industry couldn’t sell a computer chip to friendly nations without violating export controls. Now U.S.-branded products made in China and other foreign locations are bought and sold routinely. Some sources estimate that as much as 90 percent of the integrated circuits produced in the world are made in China. This means that when a Chinese or other foreign vendor supplies integrated circuits to DoD,

28 Wallace, op. cit.
29 Christianson, op. cit.
30 Ibid.
31 Ibid.
32 Wallace, op. cit.
Further, federal law must be revised to properly incorporate the private sector and foreign allies. Without legislation that supports greater information sharing, as well as military, intelligence, and logistical support to private sector counterparts and allies, U.S. cybersecurity efforts will continue to be challenged.42

4.2 Executive Branch Action: Developing and Defining Policy

However carefully crafted, cybersecurity legislation will not be fully effective without concerted, innovative implementation by the executive branch. In this regard, President Obama and his recent predecessors have promulgated executive agency policy initiatives designed to safeguard U.S. national security – including America’s supply chains – from cyber threats, including previously mentioned directives like National Security Presidential Directive 54 (NSPD 54) and Homeland Security Presidential Directive 23 (HSPD 23).

Among other things, NSPD 54 and HSPD 23 reportedly authorized efforts that included “safeguarding executive branch information systems by reducing potential vulnerabilities … and anticipating future threats.”43 On May 29, 2009, a little over a year after NSPD 54 and HSPD 23 were formulated, President Obama directed a 60-day policy review of “cybersecurity-related plans, programs and activities.” In addition, DoD, the Office of the Director of National Intelligence, and other executive agencies provided policy guidance for their respective organizations.

Notwithstanding these efforts, cybersecurity must continue to rank among the President’s highest priorities.44 This is key to remedying the deficiencies that remain, both in developing an overarching strategic approach to cyber threats, and in prescribing rules to interpret and implement aspects of specific cybersecurity initiatives.

4.2.1 Aligning Agency Roles and Responsibilities

Executive branch policy must better clarify and define agency roles and responsibilities. A particular challenge in chartering any central cybersecurity organization concerns the essential role of converged computer and communications technologies in every domain of endeavor and every federal organization. There will be a corresponding interweaving of charter responsibilities between the cybersecurity agency and every concerned federal agency.

Currently, “agencies have overlapping and uncoordinated responsibilities for cybersecurity activities”45 under existing executive branch guidance. The CNCI itself faces substantial challenges that cannot be overcome unless roles and responsibilities of “all key CNCI participants … are fully coordinated.”46 Furthermore, greater consideration should be given to performance measures within the CNCI. It is critical to evaluate how well the various government actors are executing on this initiative.47

The Departments of Commerce, Defense, and Homeland Security; the Intelligence Community; and other executive branch entities also have various overlapping and potentially competing responsibilities. Presidential policy guidance is required to ensure consistent and complementary implementation of cyber-related authorities that have been prescribed to various federal entities.48

4.2.2 Defining Terms

The executive branch must provide policy that precisely and uniformly defines government-wide cybersecurity terminology. Without a common, clearly understood lexicon defining key terms and their connotations, federal agencies will continue to be hampered in forming and carrying out the collaborations necessary to address cyber threats.

42 Langevin, op. cit.
43 Gregory C. Wilhusen and Davi M. D’Agostino, Cover letter to Government Accountability Office (GAO) Report on Cybersecurity, GAO-11-338, March 5, 2010.
44 Hon. C.A. Ruppersberger, CACI-USNI symposium comments.
45 Ibid.
46 Ibid.
47 Azmi, private communication.
48 The Department of Commerce’s NIST, for example, was directed under the Independence and Security Act of 2007 to oversee various initiatives related to reducing various cyber threats and facilitating an interoperable infrastructure for many agencies. Meanwhile, other departments have similar and seemingly overlapping and/or possibly conflicting mandates.
technology infrastructure can be thought of as a potential threat, ready without warning to disclose secrets, promote falsehoods, or damage critical property.

Applied to the cyber domain, deterrence tailored to the attribution of cyber attack or manipulation is remarkably hard, owing to the pervasive anonymity of the cyber domain.67 Creating systems that would offer better attribution is part of the solution, because at present perpetrators in the cyber domain have little risk of being identified and punished for their actions. However, with current technology, it is not easy to associate the cyber attack or manipulation with a source computer. Even if new technologies could better identify a source computer, because of botnets and other forms of cyber manipulation, it is not a given that the owner(s) of the computer took part in the attack. Attribution is far from simple, and unlike nuclear weapons, cyber weapons are ubiquitous.

Traditionally, cybersecurity has focused on purely defensive strategies. Recognizing that the current threat environment consists of constant attack, and that advanced persistent threats from determined adversaries are continuously in play, dictates that other strategies be deployed.

The U.S. government has employed tried and true organizational methods through initiatives like creating the U.S. Cyber Command and recommissioning the 10th Fleet.68 At the same time it has recognized, in standing up the command, that the sheer interconnectedness of the cyber domain makes it something altogether different from familiar arenas. Since “comprehensive terminology and rules for cyberspace have yet to be developed, even articulating cyberspace threats and identifying options for countering them is extremely difficult.”69

In general, Internet capabilities must be developed to enhance the ability to attribute responsibility for cyber acts to individual networks, computers on the network, and ultimately to a unique human identity. Similarly, additional capabilities must be developed that allow for better control of identified risks and those that have yet to be discovered.

The U.S. must couple defense and prevention with a willingness to actively respond to threats to the cyber supply chain. The government must pursue the development of necessary diplomatic, policy, and legal tools to protect national security and economic interests in a world that the U.S. has been instrumental in shaping. Like the Cold War, where at the outset the U.S. struggled to maintain parity, it needs to invoke and focus the national will and devote the necessary resources to ensuring it achieves and sustains cyber superiority.

To properly support our ability to deter attacks against our cyber and supply chain processes, the U.S. must also devote resources to developing capabilities that will ensure the country has the proper cyber technologies and trained personnel to take their place among the other instruments of national power. In particular, the nation must build the capability to collect and analyze information related to the cyber capabilities of our adversaries, whether criminals, terrorists, or nation states. This is essential to ensuring early warning of impending attacks, notification of attacks in progress, and forensics following an attack.

In addition, as majority owners of the U.S. critical infrastructure, the private sector must be included in the deterrence and defense plans. To support its role,

“Cyber threats can originate from anywhere, at any time, and their credibility is difficult to determine. Unlike traditional warfare, the size of an arsenal is not necessarily a deterrent. The United States is considered to have the most powerful cyber capabilities, but it’s still a primary target. Anyone with a network connection is a potential target, making the damage easier to inflict and with greater potential consequences.”
– Dr. J.P. (Jack) London

67 Chabinsky, op. cit.
68 The chief of naval operations (CNO) officially established the U.S. Fleet Cyber Command and recommissioned the U.S. 10th Fleet on Jan. 29, 2010. This was part of the CNO’s vision to achieve the integration and innovation necessary for warfighting superiority across the maritime, cyberspace, and information domains. The 10th Fleet was first established in 1941 as the lead for anti-submarine warfare. The global responsibility of today’s 10th Fleet is comparable to that of its predecessor, which protected American forces through the use of intelligence and information.
69 Hon. Michael Chertoff, comments from CACI-USNI Asymmetric Threats Symposium Three.
the unprecedented scope of the challenge demands an equally unprecedented effort. Tried and true approaches may offer something of value to the U.S. response, but they will be inadequate if they are not reinforced with genuinely innovative approaches to policy. In particular, alliances that emphasize flexibility and agility must be formed among all segments of society, its institutions, and individual members.

5.2 Recommendations

There are a number of specific recommendations that follow from the conclusions that arose from the symposium. These appear below.

A highly reputable public and private consortium should be formed to implement these recommendations. The consortium’s goal will be to give the public practical, actionable information that will empower individuals and organizations to understand the significance of the safe use of all Internet-connected devices, as well as each individual’s responsibility in protecting all other users.

The campaign must forthrightly and directly address a series of highly sensitive issues, including open society vs. open cyberspace; anonymity vs. privacy and the Constitutional right to privacy; and assignment and acceptance of responsibility.

5.3 Defining Cybersecurity Success

Without a refined evaluation protocol, gauging the nation’s success in countering cyber threats will prove at least as elusive as assessing the efficacy of America’s response to the more conventional – yet asymmetric – terrorist attack of September 11, 2001.

The absence of a successful large-scale cyber assault against the U.S. only provides a false sense of security.

Similarly, for industry the imperatives must be shared between corporations, government, customers, and the investment community. The role of the investment community is of particular importance because of the

Recommendations
Recommendation 1 – The U.S. needs to aggressively pursue a comprehensive national security policy that
ensures the nation is prepared to react to and preempt cyber attacks on systems and critical infrastructure on
which American society depends.
Recommendation 2 – Supply chain security must be part of the establishment of an overall cyber
intelligence capability that ensures situational awareness and the continuous monitoring of cyber threats.
This capability would include collecting, analyzing, evaluating, and disseminating critical cyber intelligence
with both national and international partners, as well as developing and implementing appropriate response
mechanisms.
Recommendation 3 – The U.S. must develop the ability to build a small number of computer and
communication systems that are absolutely certain to be secure. These would be systems built outside of the
normal supply chain, from critically secured components sourced only from the U.S. and trusted allies. The
cost would be significant, but the effort would ensure the availability of at least a limited number of assured
systems architected from hardware and software components that have not been compromised and which can
operate with confidence in support of critical activities for key government functions.
Recommendation 4 – The U.S. needs to develop and sustain a strategic communications campaign to provide
the public with a realistic appreciation of the cyber threat.
Cyber attack – Generally an act that uses computer code to disrupt computer processing or steal data, often by exploiting a software or hardware vulnerability or a weakness in security practices. Results include disrupting the reliability of equipment, the integrity of data, and the confidentiality of communications. As technologies and cyberspace capabilities evolve, the types and nature of cyber attacks are also expected to evolve, so that current definitions should be viewed as foundational rather than final. See also Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress, Congressional Research Service Report for Congress, updated January 29, 2008. Accessed at http://www.fas.org/sgp/crs/terror/RL32114.pdf.

(U.S.) Cyber Command – A subordinate unified command under U.S. Strategic Command. It was created in June 2009 and achieved initial operational capability in May 2010. Headquartered at Fort Meade, MD, it centralizes command of cyberspace operations with service elements that include the Army Forces Cyber Command; 24th USAF; Fleet Cyber Command; and Marine Forces Cyber Command. See also the Cyber Fact Sheet at http://www.defense.gov/home/features/2010/0410_cybersec.

Cyber criminals – Individuals or groups whose criminal conduct is primarily through or are dependent on operating through cyberspace/cyber domain.

Cyber manipulation – A cyber attack involving an information operation resulting in a compromise of the operation or product delivered through a supply chain. For example, products are delivered to the wrong place, at the wrong time, or not at all, or there is a quality or type problem.

Cyber terrorists – Those who commit acts of cyberterrorism.

Cyber threats – Natural or manmade incidents (intentional or unintentional) that would be detrimental to the cyber domain, or which are dependent on or operate through cyberspace/cyber domain.

DHS Customs Trade Partnership Against Terrorism (C-TPAT) – A voluntary government-business initiative considered the first worldwide supply chain security initiative. Overseen by U.S. Customs and Border Protection, C-TPAT is designed to build cooperative relationships that strengthen and improve overall international supply chain and U.S. border security. See also http://www.cbp.gov/xp/cgov/trade/cargo_security/ctpat/what_ctpat/ctpat_overview.xml and http://www.supplychainsecurity.biz/index.htm.

Doctrine, Organization, Training, Material, Leader Development, Personnel, and Facilities (DOTMLPF) – The standard set of factors to be considered by the military when establishing a new national security capability. See also Joint Publication 1-02, Department of Defense Dictionary of Military and Associated Terms.

Federal Information Security Management Act – Title III of the E-Government Act (Public Law 107-347) of 2002. It recognizes the importance of information security to the economic and national security interests of the U.S. and requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of that agency, including those provided or managed by another agency, contractor, or other source. See also http://csrc.nist.gov/groups/SMA/fisma/overview.html.

Gilmore Commission – A federally chartered commission formally known as the Advisory Panel to Assess Domestic Response Capabilities for Terrorism Involving Weapons of Mass Destruction. Chaired by former Virginia Governor James S. Gilmore, the commission was formed in 1999 and made five reports to the President and Congress between 1999 and 2003. See also http://www.rand.org/nsrd/terrpanel.

Government Accountability Office (GAO) Report on Cybersecurity – A report by GAO to Congress in which GAO provided requestors with (1) what actions have been taken to develop interagency mechanisms to plan and coordinate Comprehensive National Cybersecurity Initiative (CNCI – see above) activities and (2) what challenges CNCI faces in achieving its objectives related to securing federal information systems. Published March 5, 2010. See also http://www.gao.gov/new.items/d10338.pdf.

Homeland Security Presidential Directive 23 (HSPD 23) – One of two directives issued by President George W. Bush in 2008 (the other being National Security Presidential Directive 54, see below) that formalized a series of continuous efforts to further safeguard federal government systems and reduce potential vulnerabilities, protect against intrusion attempts, and better anticipate future threats. See also http://www.dhs.gov/xnews/releases/pr_1207684277498.shtm.

Host-based security system (HBSS) – A system based on an approach to cybersecurity that shifts focus from perimeter security and authentication controls to internal factors. This includes reassessing physical and procedural security practices and considering vulnerability assessments of systems, applications, and interactions with other hosts. See also http://www.windowsecurity.com/articles/Science_Host_Based_Security.html.

ISO 28000 Series – The International Organization for Standardization’s specification for security management systems for the supply chain. See also http://www.iso.org/iso/catalogue_detail?csnumber=44641.

National Security Presidential Directive 54 (NSPD 54) – One of two directives issued by President George W. Bush in 2008 (the other being Homeland Security Presidential Directive 23, see above) that formalized a series of continuous efforts to further safeguard federal government systems and reduce potential vulnerabilities, protect against intrusion attempts, and better anticipate future threats. See also http://www.dhs.gov/xnews/releases/pr_1207684277498.shtm.

Supply chain – Starting with unprocessed raw materials and ending with the final customer using the finished goods, the supply chain links many companies together. Also defined as the material and informational interchanges in the logistical process stretching from acquisition of raw materials to delivery of finished products to the end user. All vendors, service providers and customers are links in the supply chain. See also http://cscmp.org/digital/glossary/glossary.asp.

Strategic communication – Focused government efforts to understand and engage key audiences to create, strengthen, or preserve conditions favorable for the advancement of government interests, policies, and objectives through the use of coordinated programs, plans, themes, messages, and products synchronized with the actions of all instruments of national power.

(U.S.) Transportation Command – Provides air, land, and sea transportation for the Department of Defense. Located at Scott Air Force Base, IL, the command is composed of three component commands: the Army’s Military Surface Deployment and Distribution Command; the Navy’s Military Sealift Command; and the Air Force’s Air Mobility Command. See also http://www.transcom.mil.

World Customs Organization – An intergovernmental organization exclusively focused on customs matters. It works in areas that include supply chain security and the facilitation of international trade. See also http://www.wcoomd.org/home.htm.

Acknowledgments
Symposium Participants (alphabetical order)
Zalmai Azmi
Senior Vice President, Enterprise Technologies and Services Group, CACI International Inc

Robert J. Carey
Chief Information Officer, Department of the Navy

Edward J. Case
Acting Director, Information Operations, Chief Information Officer, Defense Logistics Agency

Steven R. Chabinsky
Deputy Assistant Director, Cyber Division, Federal Bureau of Investigation

Claude V. “Chris” Christianson
Lieutenant General, USA (Ret); Director of the Center for Joint and Strategic Logistics, National Defense University

Paul Cofoni
President and Chief Executive Officer, CACI International Inc

Gordon R. England
Former Deputy Secretary of Defense and former Secretary of the Navy

James S. Gilmore, III
Former Governor of the Commonwealth of Virginia; CACI Board of Directors

Vergle Gipson
Chief of the Analysis Office, National Security Agency/Central Security Service Threats Operation Center

Jim R. Langevin (D-RI)
U.S. House of Representatives

Dr. J.P. (Jack) London
Executive Chairman, CACI International Inc; Former CEO, CACI International Inc

Dr. Bruce McConnell
Counselor to the National Protection and Programs Directorate Deputy Under Secretary, Department of Homeland Security

Dr. Warren Phillips
Professor Emeritus, University of Maryland; CEO/COB, Advanced Blast Protection; CACI Board of Directors

Tom Ridge
Former Secretary of the Department of Homeland Security

C.A. Dutch Ruppersberger (D-MD)
U.S. House of Representatives

Loretta Sanchez (D-CA)
U.S. House of Representatives

William S. Wallace
General, USA (Ret); CACI Board of Directors

David M. Wennergren
Deputy Assistant Secretary of Defense for Information Management and Technology and DoD Deputy Chief Information Officer

Thomas L. Wilkerson
Major General, USMC (Ret); Chief Executive Officer, USNI

Jeff Wright
Senior Vice President, Enterprise Technologies and Services Group, CACI International Inc

Authors

Hilary Hageman
Vice President, Legal Division, CACI International Inc

Ian Harper
Senior Director, Enterprise Technologies and Services Group, CACI International Inc

Philip M. Sagan, Ph.D.
Executive Director, National Solutions Group, CACI International Inc

Alan Weyman
Vice President, Enterprise Technologies and Services Group, CACI International Inc

Advisors

Zalmai Azmi
Senior Vice President, Enterprise Technologies and Services Group, CACI International Inc

Paul Cofoni
President and Chief Executive Officer, CACI International Inc

Chas Henry
Executive Director of Communications, USNI

Dr. J.P. (Jack) London
Executive Chairman, CACI International Inc; Former CEO, CACI International Inc

Dr. Warren Phillips
Professor Emeritus, University of Maryland; CEO/COB, Advanced Blast Protection; CACI Board of Directors

Editor

Michael Pino
Publications Principal, CACI International Inc

Reviewer

Z. Selin Hur
Strategic Programs Development, Principal, CACI International Inc

Graphic Design

Chris Impink
Graphic Artist, CACI International Inc

Art Direction

Steve Gibson
Creative Director, CACI International Inc

Stan Poczatek
Senior Designer, CACI International Inc

Publisher and Editor-in-Chief

Dr. J.P. (Jack) London
Executive Chairman, CACI International Inc; Former CEO, CACI International Inc

Communications Executive

Jody Brown
Executive Vice President, Public Relations, CACI International Inc

Program Managers

Philip M. Sagan, Ph.D.
Executive Director, National Solutions Group, CACI International Inc

Jeff Wright
Senior Vice President, Enterprise Technologies and Services Group, CACI International Inc

Cyber Threats to National Security – Countering Challenges to the Global Supply Chain was held on March 2, 2010 at Fort Myer, Arlington, Virginia.

http://asymmetricthreat.net
The site includes downloadable white papers from each symposium and serves
as a knowledge network to advance the dialogue on national and global security,
presenting resources and original research, and providing a forum for review and
discussion of pertinent themes and events.
July 2010
© CACI 2010